Vulnerability details: VCID-5kqm-99x8-aaak
Vulnerability ID VCID-5kqm-99x8-aaak
Aliases CVE-2023-3446
Summary Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3446.json
epss 0.00140 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.00202 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.00241 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.00785 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.00807 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.14671 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
epss 0.20996 https://api.first.org/data/v1/epss?cve=CVE-2023-3446
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-3446
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-3446
cvssv3.1 5.3 https://www.openssl.org/news/secadv/20230719.txt
generic_textual LOW https://www.openssl.org/news/secadv/20230719.txt
ssvc Track https://www.openssl.org/news/secadv/20230719.txt
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3446.json
https://api.first.org/data/v1/epss?cve=CVE-2023-3446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
https://security.netapp.com/advisory/ntap-20230803-0011/
https://www.openssl.org/news/secadv/20230719.txt
http://www.openwall.com/lists/oss-security/2023/07/19/4
http://www.openwall.com/lists/oss-security/2023/07/19/5
http://www.openwall.com/lists/oss-security/2023/07/19/6
http://www.openwall.com/lists/oss-security/2023/07/31/1
http://www.openwall.com/lists/oss-security/2024/05/16/1
1041817 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041817
2224962 https://bugzilla.redhat.com/show_bug.cgi?id=2224962
cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:3.1.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:3.1.0:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:3.1.1:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:3.1.1:-:*:*:*:*:*:*
CVE-2023-3446 https://nvd.nist.gov/vuln/detail/CVE-2023-3446
GLSA-202402-08 https://security.gentoo.org/glsa/202402-08
RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622
RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623
RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626
RHSA-2023:7877 https://access.redhat.com/errata/RHSA-2023:7877
RHSA-2024:0154 https://access.redhat.com/errata/RHSA-2024:0154
RHSA-2024:0208 https://access.redhat.com/errata/RHSA-2024:0208
RHSA-2024:0408 https://access.redhat.com/errata/RHSA-2024:0408
RHSA-2024:0888 https://access.redhat.com/errata/RHSA-2024:0888
RHSA-2024:1415 https://access.redhat.com/errata/RHSA-2024:1415
RHSA-2024:2264 https://access.redhat.com/errata/RHSA-2024:2264
RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447
USN-6435-1 https://usn.ubuntu.com/6435-1/
USN-6435-2 https://usn.ubuntu.com/6435-2/
USN-6450-1 https://usn.ubuntu.com/6450-1/
USN-6709-1 https://usn.ubuntu.com/6709-1/
USN-7018-1 https://usn.ubuntu.com/7018-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3446.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:22Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:22Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:22Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:22Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-3446
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.openssl.org/news/secadv/20230719.txt
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:22Z/ Found at https://www.openssl.org/news/secadv/20230719.txt
Exploit Prediction Scoring System (EPSS)
Percentile 0.50635
EPSS Score 0.00140
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.